Several hours ago, there was a lot of noise on Twitter about a Github explanation on how to “weaponize” BlueKeep, triggering fears it could soon be wi
[See the full post at: BlueKeep exploitation expected soon]

We’ve received several anonymous posts about an exploit being posted on Darknet. Sorry, but that just isn’t true – at least, no readily usable exploit. If you know of something that actually works, please email me or DM Kevin Beaumont on Twitter. Color me extremely skeptical.
I’ve installed updates that supposedly prevent the BlueKeep hack. Now, I’m going to forget about it as my worry bin is full.
@gborn has also blogged, on borncity.com:
BlueKeep warning: Exploit might come soon?
“It is currently estimated that approximately 800,000 systems are still unpatched and accessible via the Internet”
I find it hard to believe that there are this many Windows XP / Vista / 7 / 2003 / 2008 / 2008R2 machines with RDP turned on that are fully exposed to the Internet.
Granted there are plenty of “forgotten” Windows Server installations out there that aren’t getting patched…. but how many of them have a public IP address?
So, does this mean there are folks who want this to happen? There’s now an online tutorial explaining how to use BlueKeep on a Microsoft-owned website? Sweet. They might want to do something about that, but then again maybe not.
I’m still waiting for Spectre/Meltdown exploits to be in the wild from a year and a half ago to make all the performance losses from the patches worth it for those who installed them. I guess this online tutorial is an attempt to make sure this isn’t just FUD and something actually comes of it this time.
It’s a shame FUD works so well on people even techies, but if this tutorial does cause exploits to be released into the wild, it’s on a Microsoft-owned site and are therefore responsible for it to some degree, are they not?
Just as responsible as Woody is for every word that you and I type here.
I highly doubt that. This is a message board. GitHub is a code repository that, in this case, is hosting material that is telling people how to use code maliciously to take over people’s computers and potentially extort them or steal their personal information. Big, big difference. As owners, MS certainly can decide that this is malicious and bad for business. If they know it’s there, what its intents are and leave it there where it ultimately causes damage, they are certainly responsible for taking no action.
It seems Microsoft would stand to benefit if they can scare a few more of those annoying W7 users into getting Windows 10. Someone certainly seems to want this to happen. I don’t know how else to interpret there being a tutorial showing exactly how to use it while almost certainly knowing how it will be used and who it will be used on.
That’s an extraordinarily long bow to draw!
Naw. If you think MS could organize something like this to drive Win10 migrations, you’re waaaaaaaaay overestimating their ability.
The Microsoft conspiracy theories are out of place in a security issue, as I read Woody’s comment.
It also doesn’t make any sense.
The tutorial doesn’t explain how to use BlueKeep, although it does fill in some gaps. There will be an exploit sooner or later, and the exploiter may rely on the Github stuff to come up with a working example. But MS isn’t aiding and abetting, and they certainly didn’t create the problem in the first place.
Microsoft has nothing to gain from a BlueKeep exploit. Nothing. As you know, I am quick to lambaste Microsoft when they deserve it. (Sometimes too quick.) This isn’t one of those times.
“Are you protected?”
It might be worthwhile to edit the article to add a reminder after that question of how you get protected. Most people don’t remember from one month to the next which update does what or whether they’ve installed it.
Yep. It’s that simple – if you’re running
You need to get patched now. There ARE NO EXPLOITS currently making the rounds, but you should get your system fixed. Very likely that we’ll see an exploit sooner or later.
See my article from two months ago, https://www.computerworld.com/article/3395538/if-youre-running-windows-xp-7-or-associated-servers-patch-them.html
We’re getting more posts about there being a super-secret exploit available on the darknet. It just isn’t true. The claims on the darknet about some uber-sploit that bypasses Microsoft’s fixes aren’t true.
https://twitter.com/GossiTheDog/status/1153933620647800832
Of course, you can pay for an exploit, if you like — there are plenty for sale. But they don’t work. If they did, about 800,000 machines would be bowing to a new master right now, and we’d hear about it real fast.
I repeat: Get those older machines patched. But keep your head about you. And, no, we won’t publish any darknet rants unless they’re proven factual.
So, does this mean there are folks who want this to happen? There’s now an online tutorial explaining how to use BlueKeep on a Microsoft-owned website? Sweet. They might want to do something about that, but then again maybe not.
I’m still waiting for Spectre/Meltdown exploits to be in the wild from a year and a half ago to make all the performance losses from the patches worth it for those who installed them. I guess this online tutorial is an attempt to make sure this isn’t just FUD and something actually comes of it this time.
It’s a shame FUD works so well on people even techies, but if this tutorial does cause exploits to be released into the wild, it’s on a Microsoft-owned site and are therefore responsible for it to some degree, are they not?
I think you are on to something. I wouldn’t be surprised if the FUD and tutorial are being used as a scare tactic and last-ditch effort to convince folks that they need to get off of these older OSes and get on to Windows 10.
While every alternate article here dealing with the latest Windows 10 version issues reminds us why we shouldn’t do so!
According to this GBorn blog page from May, referring to the problem now under discussion here:
https://borncity.com/win/2019/05/15/critical-update-for-windows-xp-up-to-windows-7-may-2019/
“Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop Service. Windows 7, Windows Server 2008, and Windows Server 2008 R2 receive a patch to close the vulnerability with regular Monthly Rollup or Security Online updates. ”
Does this mean that if one has already applied the May Security(etc.) patch according to one’s patching group (A or B), then one does not need to turn off the Remote Desktop Service? I’ve had (a) this patch installed since late May and (b) prefer to turn the RDS on occasionally, to make it easier to communicate between my Mac and my Windows 7 PC. I would appreciate some advice on whether this is a good thing to do, or not, and why.
I hope that there is no BlueKeep-like vulnerability that’s been patched in the July 2019 “security only” update that has the telemetry, because that’s not being installed on my laptops. And as far as that goes, any Microsoft Windows 7 “security only” patches that are not actually Security Only in fact are not getting installed.
I’ll just have to consider that the Windows 7 extended support period has expired a little early and that’s Microsoft’s fault. So let’s hope that August 2019’s Security Only patches are not of that “Security Only” variety.
I will be running Windows 7 after Jan 2020 and I’ll just make sure that any personal data is no longer on the laptops after Jan 2020. I’m not playing that cat and mouse game with Redmond’s snooping.
From above, “I will be running Windows 7 after Jan 2020 and I’ll just make sure that any personal data is no longer on the laptops after Jan 2020.”
Maybe we use the term ‘personal data’ differently. When I use it, I am referring to all data created by me personally (the first party) while using the system (my Win7 leased copy from Microsoft, the second party). Not just my personal vital statistics and embarrassing party photos.
From my mindset, I do not see the purpose of running a system with no personal data involved. It would just be an idling lump pushing electrons through the second party’s software (the OS, Win7) for no goal, converting electrical current to light and heat.
I will be using a supported system to perform all computation and presentation of my personal data. No gamesmanship required. Just good commerce as agreed to by both parties.
Personal data removed and any Windows 7 laptops just used for browsing, and some other laptop running Linux/Mac OS/other non-MS OS that’s patched and secured for any secure related usage.
So the Windows 7 laptops are only used for browsing with no logging in etc. And with those Windows 7 laptops scrubbed clean of any personal files and data that can be used for nefarious reasons.
The folks in Redmond are in for some security issues if they cannot keep the spyware out of any further Windows 7 Security Only Updates up until Jan 2020, and July’s Windows 7 “Security Only” KB is not getting installed unless the telemetry is removed, BlueKeep or whatever. Security Only means SECURITY ONLY, Microsoft!
Seems I’ve already been locked out of MS updates? I can download them – but they won’t run! I’m no longer able to install and run them. They just sit there in my download file defying any and all attempts to actually do anything useful. I first ran Windows Installed Updates and it “searched for installed updates” for over a half hour until I finally finished cleaning the bathroom and got tired of waiting for it. I stopped it, went to MS and tried downloading the files individually. I could download them – but they wouldn’t run! I ran Malwarebytes, Windows Defender along with Wise Care 365. I can no longer run Windows Updates. I assume, of course, they would let me update to Win 10 – which is not going to happen! I